Characterizing Kripke Structures in Temporal Logic

M. C. Browne
E. M. Clarke
O. Grumberg

Carnegie Mellon University, Pittsburgh


1. Introduction

The question of whether branching-time temporal logic or linear-time temporal logic is best for reasoning
about concurrent programs is one of the most controversial issues in logics of programs. Concurrent
programs are usually modelled by labelled state-transition graphs in which some state is designated as the
initial state. For historical reasons such graphs are called Kripke structures. In linear temporal logic,
operators are provided for describing events along a single time path (i.e., along a single path in a Kripke
structure). In a branching-time logic the temporal operators quantify over the futures that are possible from a
given state (i.e., over the possible paths that lead from a state). It is well known that the two types of temporal
logic have different expressive powers. Linear temporal logic, for example, can express certain
fairness properties that cannot be expressed in branching-time temporal logic. On the other hand, certain
practical decision problems like model checking ([3]) are easier for branching-time temporal logic than
for linear temporal logic.

In this paper we provide further insight on which type of logic is best. We show that if two finite Kripke
structures can be distinguished by some formula that contains both branching-time and linear-time operators,
then the structures can be distinguished by a formula that contains only branching-time operators.
Specifically, we show that if two finite Kripke structures can be distinguished by some formula of the logic
CTL* (i.e., if there is some CTL* formula that is true in one but not in the other), then they can be
distinguished by some formula of the logic CTL. The logic CTL* ([3], [4]) is a very powerful temporal logic
that combines both branching-time and linear-time operators; a path quantifier, either A ("for all paths") or E
("for some paths"), can prefix an assertion composed of arbitrary combinations of the usual linear-time
operators G ("always"), F ("sometimes"), X ("nexttime"), and U ("until"). CTL ([1], [2]) is a restricted subset
of CTL* that permits only branching-time operators: each path quantifier must be immediately followed by
exactly one of the operators G, F, X, or U.

Our goal is to show that for any finite Kripke structure M, it is possible to construct a CTL formula $F_M$ that
uniquely characterizes M. Since one Kripke structure may be a trivial unrolling of another, we use a notion of
equivalence between Kripke structures that is similar to the notion of bisimulation studied by Milner [12]. We
say that states s and s' are equivalent if they have the same labelling of atomic propositions and for each
transition from one of the two states to some state t there is a corresponding transition from the other state to
a state t' that is equivalent to t. Two Kripke structures are equivalent if their initial states are equivalent. It is
not difficult to prove that if two Kripke structures are equivalent then their initial states must satisfy the same
CTL* formulas.

An obvious first attempt to construct $F_M$ is simply to write a CTL formula that specifies the transition
relation of M. For each state s in M we include in $F_M$ a conjunct of the form

$$AG\Bigl(L(s) \Rightarrow \bigwedge_i EX\,L(s_i) \wedge AX\bigl(\bigvee_i L(s_i)\bigr)\Bigr)$$

where $s_1, \ldots, s_n$ are the successors of s and L(t) is the labelling of atomic propositions associated with state t.

It is easy to see, however, that this simple approach cannot work in general: several states in M may have
exactly the same labelling of atomic propositions.

Instead, we first show that it is possible to write a CTL formula that will distinguish between two states in
the same structure that are not equivalent according to the above definition. Two inequivalent states may have
exactly the same labelling of atomic propositions, they may even have corresponding successors, but the
computation trees rooted at those states must differ at some finite depth. The difference in the computation
trees can be exploited to give a CTL formula that distinguishes between the states. Since equivalent states
satisfy the same CTL* formulas, it follows that if two states can be distinguished by a CTL* formula, they can
be distinguished by a CTL formula. Once we can distinguish between inequivalent states in the same
structure, we can write a single CTL formula that encodes the entire Kripke structure; this formula is the $F_M$
that we seek.

The above construction requires the use of the nexttime operator in specifying $F_M$. In reasoning about
concurrent systems, however, the nexttime operator may be dangerous, since it refers to the global next state
instead of the local next state within a process [10]. What happens if we disallow the nexttime operator in
CTL formulas? The proof, in this case, requires another notion of equivalence: equivalence with respect to
stuttering. We say that two state sequences correspond if each can be partitioned into finite blocks of
identically labelled states such that each state in the i-th block in one sequence is equivalent to each state in
the i-th block of the other sequence. Thus, duplicating some state in a sequence any finite number of times
will always result in a corresponding sequence. We say that two states are equivalent if for each state sequence
starting at one there is a corresponding state sequence that starts at the other. Under this second notion of
equivalence the proof of the characterization theorem becomes much more complicated, since it is possible
for two inequivalent states to have exactly the same finite behaviors (modulo stuttering), but different infinite
behaviors.

Equivalence under stuttering turns out to be quite useful for reasoning about hierarchically constructed
concurrent systems. In determining the correctness of such a system by using a technique like temporal logic
model checking ([2], [3], [11], [13], [16], [17]), it is often desirable to replace a low level module by an
equivalent structure with fewer states. Our results show how this can be done while preserving all of those
properties that are invariant under stuttering. We give polynomial algorithms both for determining if two
structures are equivalent with respect to stuttering and for minimizing the number of states in a given
structure under this notion of equivalence.

Finally, our results have some interesting implications for the problem of synthesizing finite state
concurrent systems from temporal logic specifications ([2], [14]). In order to guarantee that any Kripke
structure can be synthesized from a specification in linear temporal logic, Wolper [18] was forced to introduce
more complicated operators based on regular expressions. Our results show that (at least in theory) no such
extension is necessary for branching-time temporal logic. Any Kripke structure can be specified directly by a
formula of branching-time logic.

The expressive power of various temporal logics has been discussed in several papers; see ([4], [9]) for
example. Hennessy and Milner [7], Graf and Sifakis [6], and Pnueli [15] have all discussed the relationship
between temporal logic and various notions of equivalence between models of concurrent programs.
However, we believe that we are the first to show that it is possible to characterize Kripke models within
branching-time logic and to investigate the consequences of this result.

Our paper is organized as follows: In Section 2 we describe the logics CTL and CTL*. In Section 3, we state
formally what it means for two states in a Kripke structure to be equivalent and prove that equivalent states
satisfy exactly the same CTL formulas. Section 3 also contains the first of the two main results of the paper:
we show how to characterize Kripke structures using CTL formulas with the nexttime operator. Section 4
introduces the second notion of equivalence (equivalence with respect to stuttering) and shows that if the
nexttime operator is disallowed, then equivalent states again satisfy exactly the same CTL* formulas. We also
extend the characterization theorem of Section 3 to Kripke structures with the new notion of equivalence. In
Section 5 we give a polynomial algorithm for determining if two states are equivalent up to stuttering. The
paper concludes in Section 6 with a discussion of some remaining open problems like the possibility of
extending our results to Kripke structures with fairness constraints (i.e., Büchi automata).

2. The Logics CTL and CTL*

There are two types of formulas in CTL*: state formulas (which are true in a specific state) and path
formulas (which are true along a specific path). Let AP be the set of atomic proposition names. A state
formula is either:

• $A$, if $A \in AP$.

• If $f$ and $g$ are state formulas, then $\neg f$ and $f \vee g$ are state formulas.

• If $f$ is a path formula, then $E(f)$ is a state formula.

A path formula is either:

• A state formula.

• If $f$ and $g$ are path formulas, then $\neg f$, $f \vee g$, $X f$, and $f\ U\ g$ are path formulas.


CTL* is the set of state formulas generated by the above rules.


CTL is a subset of CTL* in which we restrict the path formulas to be:

• If $f$ and $g$ are state formulas, then $X f$ and $f\ U\ g$ are path formulas.

• If $f$ is a path formula, then so is $\neg f$.

We define the semantics of both logics with respect to a structure $M = \langle S, R, L \rangle$, where

• $S$ is a set of states.

• $R \subseteq S \times S$ is the transition relation, which must be total. We write $s_1 \to s_2$ to indicate that $(s_1, s_2) \in R$.

• $L: S \to \mathcal{P}(AP)$ is the proposition labeling.

Unless otherwise stated, all of our results apply only to finite Kripke structures.

We only consider transition relations where every state is reachable from the initial state. We define a path
in M to be a sequence of states, $\pi = s_0, s_1, \ldots$ such that for every $i \ge 0$, $s_i \to s_{i+1}$. $\pi^i$ will denote the suffix of $\pi$
starting at $s_i$.

We use the standard notation to indicate that a state formula $f$ holds in a structure: $M, s \models f$ means that $f$
holds at state s in structure M. Similarly, if $f$ is a path formula, $M, \pi \models f$ means that $f$ holds along path $\pi$ in
structure M. The relation $\models$ is defined inductively as follows (assuming that $f_1$ and $f_2$ are state formulas and
$g_1$ and $g_2$ are path formulas):

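1. $s \models A \iff A \in L(s)$.

2. $s \models \neg f_1 \iff s \not\models f_1$.

3. $s \models f_1 \vee f_2 \iff s \models f_1$ or $s \models f_2$.

4. $s \models E(g_1) \iff$ there exists a path $\pi$ starting with s such that $\pi \models g_1$.

5. $\pi \models f_1 \iff$ s is the first state of $\pi$ and $s \models f_1$.

6. $\pi \models \neg g_1 \iff \pi \not\models g_1$.

7. $\pi \models g_1 \vee g_2 \iff \pi \models g_1$ or $\pi \models g_2$.

8. $\pi \models X g_1 \iff \pi^1 \models g_1$.

9. $\pi \models g_1\ U\ g_2 \iff$ there exists a $k \ge 0$ such that $\pi^k \models g_2$ and for all $0 \le j < k$, $\pi^j \models g_1$.

We will also use the following abbreviations in writing CTL* (and CTL) formulas:

• $f \wedge g = \neg(\neg f \vee \neg g)$

• $F f = \mathit{true}\ U\ f$

• $A(f) = \neg E(\neg f)$

• $G f =$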

3. Equivalence of Kripke Structures

Given two structures M and M' with the same set of atomic propositions AP, we define a sequence of
equivalence relations $E_0, E_1, \ldots$ on $S \times S'$ as follows:

• $s E_0 s'$ if and only if $L(s) = L(s')$.

• $s E_{n+1} s'$ if and only if

  o $L(s) = L(s')$,

  o $\forall s_1 [s \to s_1 \Rightarrow \exists s'_1 [s' \to s'_1 \wedge s_1 E_n s'_1]]$, and

  o $\forall s'_1 [s' \to s'_1 \Rightarrow \exists s_1 [s \to s_1 \wedge s_1 E_n s'_1]]$.

Now, we define our notion of equivalence between states: $s E s'$ if and only if $s E_i s'$ for all $i \ge 0$.
Furthermore, we say that M with initial state $s_0$ is equivalent to M' with initial state $s'_0$ iff $s_0 E s'_0$.

Lemma 1: Let $s E s'$. Then for every path $s, s_1, \ldots$, there exists a path $s', s'_1, \ldots$ such that


Proof: Note first that $E_{n+1} \subseteq E_n$. Since $E_0$ is finite, there must be a k such that $E_{k+1} = E_k = E$. Thus,
we can substitute $E$ for $E_k$ in the definition of $E_{k+1}$, giving $s E s'$ if and only if

• $L(s) = L(s')$,

• $\forall s_1 [s \to s_1 \Rightarrow \exists s'_1 [s' \to s'_1 \wedge s_1 E s'_1]]$, and



Theorem 2: If $s E s'$, then $\forall f \in$ CTL* $[s \models f \iff s' \models f]$.

This theorem is a consequence of the following lemma:

Lemma 3: Let $h$ be either a state formula or a path formula. Let $\pi = s, s_1, \ldots$ be a path in M and
$\pi' = s', s'_1, \ldots$ be a path in M' such that $s E s'$ and $\forall i [s_i E s'_i]$. Then

$s \models h \iff s' \models h$, if $h$ is a state formula and
$\pi \models h \iff \pi' \models h$, if $h$ is a path formula.

Proof: We prove the theorem by induction on the structure of $h$.

Base: $h = A$. By the definition of $E$, $s \models A \iff s' \models A$.

Induction: There are several cases.

1. $h = \neg h_1$, a state formula.

$\iff s' \not\models h_1$ (induction hypothesis)

$\iff s' \models h$

The same reasoning holds if $h$ is a path formula.

2. $h = h_1 \vee h_2$, a state formula.

Without loss of generality,

$s \models h \iff s \models h_1$ or $s \models h_2$

$\Rightarrow s \models h_1$

$\iff s' \models h_1$ (induction hypothesis)

$\Rightarrow s' \models h$

The argument is the same in the other direction. We can also use this argument if $h$ is a path
formula.

3. $h = E(h_1)$, a state formula.

Suppose that $s \models h$. Then there is a path, $\pi_1$, starting with s such that $\pi_1 \models h_1$. By Lemma 1, there
is a corresponding path in M' starting with s'. So by the induction hypothesis, $\pi_1 \models h_1
\iff \pi'_1 \models h_1$. Therefore, $s \models E(h_1) \Rightarrow s' \models E(h_1)$. We can use the same argument in the other
direction, so the lemma holds.


4. $h = h_1$, where $h$ is a path formula and $h_1$ is a state formula.

Although the lengths of $h$ and $h_1$ are the same, we can imagine that $h = \mathit{path}(h_1)$, where $\mathit{path}$ is an
operator which converts a state formula into a path formula. Therefore, we are simplifying $h$ by
dropping this path operator. So now:

$\pi \models h \iff s \models h_1$

$\iff s' \models h_1$ (induction hypothesis)

$\Rightarrow \pi' \models h$.

The reverse direction is similar.

5. $h = X h_1$, a path formula.

By the definition of the next-time operator, $\pi^1 \models h_1$. Since $\pi$ and $\pi'$ correspond, so do $\pi^1$ and
$\pi'^1$. Therefore, by the inductive hypothesis, $\pi'^1 \models h_1$, so $\pi' \models h$.

We can use the same argument in the other direction.

6. $h = h_1\ U\ h_2$, a path formula.

Suppose that $\pi \models h_1\ U\ h_2$. By the definition of the until operator, there is a k such that $\pi^k \models h_2$
and for all $0 \le j < k$, $\pi^j \models h_1$. Since $\pi$ and $\pi'$ correspond, so do $\pi^j$ and $\pi'^j$ for any j. Therefore, by
the inductive hypothesis, $\pi'^k \models h_2$ and $\pi'^j \models h_1$ for all $0 \le j < k$. Therefore $\pi' \models h$.

We can use the same argument in the other direction. □

Another property of two equivalent states is that they both have corresponding computation trees. For
every $s \in S$, $Tr_n(s)$ is the computation tree of depth n rooted at s. Formally, $Tr_0(s)$ consists of a single node
which has the same label as s. $Tr_{n+1}(s)$ has as its root a node m with the same label as s. If s has successors
$s_1, \ldots, s_p$ in the Kripke structure, then node m will have subtrees $Tr_n(s_1), \ldots, Tr_n(s_p)$.

Two trees $Tr_n(s)$ and $Tr_n(s')$ correspond (denoted $Tr_n(s) \equiv Tr_n(s')$) if and only if both of their roots have
the same label and for every subtree of depth n−1 of the root of one, it is possible to find a corresponding
subtree of the root of the other.

Lemma 4: $s E_n s'$ if and only if $Tr_j(s) \equiv Tr_j(s')$ for all $j \le n$.

Lemma 5: Given a finite set of states $s_1, \ldots, s_n$, there exists a c such that if two states $s_i$ and $s_j$ are not
E-equivalent then $Tr_c(s_i)$ and $Tr_c(s_j)$ will not correspond.

We will call the value of c for S the characteristic number of the structure.

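We associate a CTL formula with a tree $Tr_n(s)$ as follows:

• $\mathcal{F}[Tr_0(s)] = (p_1 \wedge \ldots \wedge p_u) \wedge (\neg q_1 \wedge \ldots \wedge \neg q_v)$, where $L(s) = \{p_1, \ldots, p_u\}$ and $AP - L(s) = \{q_1, \ldots, q_v\}$.

• $\mathcal{F}[Tr_{n+1}(s)] = \bigl(\bigwedge_i EX\,\mathcal{F}[Tr_n(s_i)]\bigr) \wedge AX\bigl(\bigvee_i \mathcal{F}[Tr_n(s_i)]\bigr) \wedge \mathcal{F}[Tr_0(s)]$, where $s_i$ is a successor of s.

Lemma 6: $s \models \mathcal{F}[Tr_n(s)]$ for all $n \ge 0$.

Lemma 7: If $s \models \mathcal{F}[Tr_n(s')]$, then $Tr_n(s) \equiv Tr_n(s')$.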

Proof: The proof is by induction on n. The basis case is trivial. Thus, we assume that $n > 0$. Let $s_1, s_2, \ldots, s_p$
be the sons of s in $Tr_n(s)$ and $s'_1, s'_2, \ldots$ be the sons of s' in $Tr_n(s')$.

It is easy to see that s and s' have the same labelling of atomic propositions.

We must show that $Tr_{n-1}(s_i)$ corresponds to some $Tr_{n-1}(s'_j)$. Since $s \models \mathcal{F}[Tr_n(s')]$,
$s \models AX(\bigvee_j \mathcal{F}[Tr_{n-1}(s'_j)])$. Since $s_i$ is a successor of s, $s_i \models \mathcal{F}[Tr_{n-1}(s'_{j_0})]$ for some $j_0$. Hence,
$Tr_{n-1}(s_i) \equiv Tr_{n-1}(s'_{j_0})$ by our inductive hypothesis.

Finally, we must show that $Tr_{n-1}(s'_j)$ corresponds to some $Tr_{n-1}(s_i)$. Since $s \models \mathcal{F}[Tr_n(s')]$,
$s \models \bigwedge_j EX\,\mathcal{F}[Tr_{n-1}(s'_j)]$. Since $s'_j$ is a successor of s', $s \models EX\,\mathcal{F}[Tr_{n-1}(s'_j)]$. Therefore, there exists an $s_{i_0}$ such
that $s_{i_0} \models \mathcal{F}[Tr_{n-1}(s'_j)]$. Hence, $Tr_{n-1}(s_{i_0}) \equiv Tr_{n-1}(s'_j)$ by our inductive hypothesis. □

Lemma 8: If s is a state in a Kripke structure M, then there is a CTL formula, $C(M,s)$, that determines s up
to E-equivalence within M, i.e. $C(M,s)$ is true in s and every state in M that is E-equivalent to s but false in
every state in M that is not equivalent to s.

Proof: We choose $C(M,s) = \mathcal{F}[Tr_c(s)]$ where c is the characteristic number of M. $C(M,s)$ is true in s and
hence in all states E-equivalent to s. Let s' be a state that is not E-equivalent to s; then $Tr_c(s) \not\equiv Tr_c(s')$.
Hence, by lemma 7, $s' \not\models C(M,s)$. □

Theorem 9: Given a Kripke structure M with initial state $s_0$, there is a CTL formula $F(M,s_0)$ that
characterizes that structure up to E-equivalence, i.e. $M', s'_0 \models F(M,s_0) \iff s_0 E s'_0$.



Proof: For any state s in M, let $s_1, \ldots, s_p$ be the successors of s. We define

$$G(M,s) = AG\Bigl(C(M,s) \Rightarrow \bigwedge_i EX\,C(M,s_i) \wedge AX \bigvee_i C(M,s_i)\Bigr)$$

$G(M,s)$ describes all of the possible transitions from s. $F(M,s_0)$ is the formula $C(M,s_0) \wedge \bigwedge_s G(M,s)$. If two
structures $M, s_0$ and $M', s'_0$ are equivalent then by theorem 2 they satisfy the same formulas. Since
$M, s_0 \models F(M,s_0)$, so does $M', s'_0$.

For the other direction we show by induction on n that if $M', s'_0 \models F(M,s_0)$ then $Tr_n(s_0) \equiv Tr_n(s'_0)$ for all
$n \ge 0$. By lemma 4, the two structures are then E-equivalent. □

Corollary 10: Given two structures M and M' with initial states $s_0$ and $s'_0$ respectively, $s_0 E s'_0$ if and only if
$\forall f \in$ CTL* $[M, s_0 \models f \iff M', s'_0 \models f]$.

Corollary 11: Given two structures M and M' with initial states $s_0$ and $s'_0$ respectively, if there is a formula
of CTL* that is true in one and false in the other, then there is also a formula of CTL that is true in the one
and false in the other.

We illustrate our method of characterizing Kripke structures with the example in figure 3-1.


Figure 3-1: A Kripke structure in which every other state is labelled A

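The characteristic number of this structure is 1, since $Tr_0(s_0) \not\equiv Tr_0(s_2)$, $Tr_0(s_1) \not\equiv Tr_0(s_2)$, and $Tr_1(s_0) \not\equiv Tr_1(s_1)$.

Let

• $C(M,s_0) = a \wedge \neg b \wedge EX(a \wedge \neg b) \wedge EX(\neg a \wedge b) \wedge AX(a \wedge \neg b \vee \neg a \wedge b)$

• $C(M,s_1) = a \wedge \neg b \wedge EX(a \wedge \neg b) \wedge AX(a \wedge \neg b)$

• $C(M,s_2) = \neg a \wedge b \wedge EX(a \wedge \neg b) \wedge AX(a \wedge \neg b)$

We can now state the formula that characterizes this structure:

$F(M,s_0) = C(M,s_0) \wedge$
$\quad AG(C(M,s_0) \Rightarrow EX\,C(M,s_1) \wedge EX\,C(M,s_2) \wedge AX(C(M,s_1) \vee C(M,s_2))) \wedge$
$\quad AG(C(M,s_1) \Rightarrow EX\,C(M,s_0) \wedge AX\,C(M,s_0)) \wedge$
$\quad AG(C(M,s_2) \Rightarrow EX\,C(M,s_0) \wedge AX\,C(M,s_0))$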
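
The construction of this section as an added example (not code from the paper): it computes the relations E_n by refinement, reads off the characteristic number, builds the tree formulas and F(M,s0), and checks them with a small evaluator for the EX/AX/AG fragment. The three-state structure is reconstructed from the formulas C(M,s0), C(M,s1), C(M,s2) above because the figure is not reproduced; the tuple encoding of formulas, the function names and the two comparison structures are assumptions of the example.

```python
# Added example, not code from the paper. Formulas are nested tuples (an assumed
# encoding): ("ap", p), ("not", f), ("and", [f, ...]), ("or", [f, ...]),
# ("EX", f), ("AX", f), ("AG", f). A structure is a pair (label, succ).

AP = ("a", "b")
# Constructed: the structure implied by C(M,s0), C(M,s1), C(M,s2) in the text.
M = ({"s0": {"a"}, "s1": {"a"}, "s2": {"b"}},
     {"s0": ["s1", "s2"], "s1": ["s0"], "s2": ["s0"]})
# Constructed: M unrolled once (two copies of every state); u0 is equivalent to s0.
M_UNROLLED = ({"u0": {"a"}, "u1": {"a"}, "u2": {"b"},
               "u3": {"a"}, "u4": {"a"}, "u5": {"b"}},
              {"u0": ["u1", "u2"], "u1": ["u3"], "u2": ["u3"],
               "u3": ["u4", "u5"], "u4": ["u0"], "u5": ["u0"]})
# Constructed: M with an extra self-loop on t1; t0 is not equivalent to s0.
M_CHANGED = ({"t0": {"a"}, "t1": {"a"}, "t2": {"b"}},
             {"t0": ["t1", "t2"], "t1": ["t0", "t1"], "t2": ["t0"]})


def refine(label, succ):
    """Return [E_0, ..., E_c] as maps state -> class id, where E_{c+1} = E_c = E."""
    def number(sig):
        ids = {}
        return {s: ids.setdefault(sig[s], len(ids)) for s in sorted(sig)}

    chain = [number({s: frozenset(label[s]) for s in label})]
    while True:
        prev = chain[-1]
        # s E_{n+1} s' iff equal labels and the successors hit the same E_n classes.
        nxt = number({s: (frozenset(label[s]), frozenset(prev[t] for t in succ[s]))
                      for s in label})
        if len(set(nxt.values())) == len(set(prev.values())):
            return chain          # E_{n+1} refines E_n, so equal size means equal
        chain.append(nxt)


def characteristic_number(label, succ):
    """Least c with E_c = E."""
    return len(refine(label, succ)) - 1


def tree_formula(s, n, label, succ):
    """The formula associated with Tr_n(s), following the two-case definition."""
    base = ("and", [("ap", p) if p in label[s] else ("not", ("ap", p)) for p in AP])
    if n == 0:
        return base
    subs = [tree_formula(t, n - 1, label, succ) for t in succ[s]]
    return ("and", [("EX", f) for f in subs] + [("AX", ("or", subs)), base])


def characteristic_formula(s0, label, succ):
    """F(M,s0): C(M,s0) conjoined with G(M,s) for every state s."""
    c = characteristic_number(label, succ)
    C = {s: tree_formula(s, c, label, succ) for s in label}
    parts = [C[s0]]
    for s in sorted(label):
        moves = [("EX", C[t]) for t in succ[s]]
        moves.append(("AX", ("or", [C[t] for t in succ[s]])))
        # AG(C(M,s) => moves), with the implication written as (not C) or moves
        parts.append(("AG", ("or", [("not", C[s]), ("and", moves)])))
    return ("and", parts)


def sat(f, label, succ):
    """States of the structure (label, succ) that satisfy formula f."""
    op, arg = f
    states = set(label)
    if op == "ap":
        return {s for s in states if arg in label[s]}
    if op == "not":
        return states - sat(arg, label, succ)
    if op == "and":
        return states.intersection(*(sat(g, label, succ) for g in arg))
    if op == "or":
        return set().union(*(sat(g, label, succ) for g in arg))
    if op not in ("EX", "AX", "AG"):
        raise ValueError(f"unknown operator {op!r}")
    target = sat(arg, label, succ)
    if op == "EX":
        return {s for s in states if any(t in target for t in succ[s])}
    if op == "AX":
        return {s for s in states if all(t in target for t in succ[s])}
    while True:                       # AG: greatest fixpoint of Z = f and AX Z
        keep = {s for s in target if all(t in target for t in succ[s])}
        if keep == target:
            return target
        target = keep


if __name__ == "__main__":
    print("characteristic number:", characteristic_number(*M))
    F = characteristic_formula("s0", *M)
    for name, (lab, suc), init in (("M", M, "s0"), ("unrolled", M_UNROLLED, "u0"),
                                   ("changed", M_CHANGED, "t0")):
        print(name, "satisfies F(M,s0):", init in sat(F, lab, suc))
```

The tree formulas grow exponentially with depth, so this is suitable for small structures only.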

4. Equivalence With Respect To Stuttering

We first define what it means for two Kripke structures to be equivalent with respect to stuttering. Given
two structures M and M' with the same set of atomic propositions, we define a sequence of equivalence
relations $E_0, E_1, \ldots$ on $S \times S'$ as follows:

• $s E_0 s'$ if and only if $L(s) = L(s')$.

• $s E_{n+1} s'$ if and only if

1. for every path $\pi$ in M that starts in s there is a path $\pi'$ in M' that starts in s', a partition
$B_1 B_2 \ldots$ of $\pi$, and a partition $B'_1 B'_2 \ldots$ of $\pi'$ such that for all $j \in \mathbb{N}$, $B_j$ and $B'_j$ are both
non-empty and finite, and every state in $B_j$ is $E_n$-related to every state in $B'_j$, and

2. for every path $\pi'$ in M' starting in s' there is a path $\pi$ in M starting in s that satisfies the
same condition as in 1.

Our notion of equivalence with respect to stuttering is defined as follows: $s E s'$ if and only if $s E_l s'$ for all
$l \ge 0$. Furthermore, we say that M with initial state $s_0$ is equivalent to M' with initial state $s'_0$ if $s_0 E s'_0$.

Lemma 12: Given two Kripke structures M and M', there exists an $l$ such that $\forall s \forall s' [s E_l s'$ iff $s E s']$.

Proof: By the definition of $E_{l+1}$, $s E_{l+1} s' \Rightarrow s E_l s'$, so $E_0 \supseteq E_1 \supseteq E_2 \ldots$ Since M and M' are both
finite, $E_0$ must be finite as well, so only a finite number of these containments can be proper. Let $E_l$ be the
last relation that is properly included in $E_{l-1}$. By the definition of proper containment, $\forall m > l\ [E_l = E_m]$ so
$s E_l s' \Rightarrow s E_m s'$, for $m > l$. Since $s E_l s' \Rightarrow s E_{l-1} s' \Rightarrow s E_{l-2} s' \ldots$, we have $s E_l s' \Rightarrow \forall m [s E_m s']$, so
$s E_l s' \Rightarrow s E s'$. The other direction is trivial. □

Theorem 13: If $s E s'$, then for every CTL* formula $f$ without the nexttime operator, $s \models f$ iff $s' \models f$.

The  proof  is  similar  to  that  of  theorem  2. 

Lemma 14: Given a Kripke structure M, for every state $s \in M$, there is a CTL formula $C(M,s)$ such that
$\forall t \in M [t \models C(M,s)$ iff $s E t]$.


Proof: We will prove by induction on $l$:

• If $\neg(s E_l t)$, then there is a CTL formula $d_l(s,t)$ such that $\forall v \in M [s E_l v \Rightarrow v \models d_l(s,t)]$ and
$t \not\models d_l(s,t)$.

• For every state $s \in M$, there is a CTL formula $C_l(M,s)$ such that for every $t \in M$, $t \models C_l(M,s)$ iff
$s E_l t$.

$d_l(s,t)$ is a formula that distinguishes between t and states equivalent to s within the structure M, and
$C_l(M,s)$ is a formula that characterizes $E_l$-equivalence to state s within M.


If we let C be a conjunction of (M,s) and $d_l(s,t)$ for every t that is not $E_l$-related to s, the second
assertion follows easily. By lemma 12, this condition implies that the lemma is true. Now it is necessary to
show how to construct $d_l(s,t)$ by induction on $l$.

Basis ($l = 0$): Let $\{p_i\}$ be the set of atomic propositions in $L(s)$ and $\{q_j\}$ be the set of atomic propositions in
$AP - L(s)$. Now, let

$$C_0(M,s) = d_0(s,t) = \bigwedge_i p_i \wedge \bigwedge_j \neg q_j$$

It is clear that this formula is only true in states with the same labelling of atomic propositions as s. Therefore,
the base case is established.

Induction: Assume that the result is true for $l$. We will show it for $l+1$.

Since $\neg(s E_{l+1} t)$, either there is a path from s without a corresponding path from t, or vice versa. In the
latter case, we will use the argument below to find a $d_{l+1}(t,s)$ such that $t \models d_{l+1}(t,s)$ and $s \not\models d_{l+1}(t,s)$. We
can negate this formula to get the desired $d_{l+1}(s,t)$.

If there is a path from s without a corresponding path from t, we can divide this path into blocks ($B_1 B_2 \ldots$)
such that:

$\forall i\ [x \in B_i \Rightarrow x \models C_l(M, \mathrm{first}(B_i))$ and $\mathrm{first}(B_{i+1}) \not\models C_l(M, \mathrm{first}(B_i))]$.

Now, there are two cases: either there is a finite path from one state without a corresponding path from the
other, or there is an infinite path without a corresponding path, but every finite prefix of this path has a
corresponding path.


In the first case, the path from s is finite, so the blocks are finite and there are only a finite number of them
(say n). Consider the CTL formula:

$d_{l+1}(s,t) = C_l(M,\mathrm{first}(B_1)) \wedge E[C_l(M,\mathrm{first}(B_1))\ U\ C_l(M,\mathrm{first}(B_2)) \wedge E[\ldots U\ C_l(M,\mathrm{first}(B_n))] \ldots]$

It is clear that $s \models d_{l+1}(s,t)$ along the path $B_1 B_2 \ldots B_n$. However, if $t \models d_{l+1}(s,t)$ then there is a path that can
be partitioned into blocks $B'_1 B'_2 \ldots B'_n$ such that $\forall i [v \in B'_i \Rightarrow v \models C_l(M,\mathrm{first}(B_i))]$. Since every state in $B_i$
satisfies $C_l(M,\mathrm{first}(B_i))$, the inductive hypothesis and the definition of $E_l$ gives $B_i E_l B'_i$. Therefore, this path
from t corresponds to the path from s, a contradiction. We conclude that $t \not\models d_{l+1}(s,t)$.

In the second case, we start by showing that the path from s has only a finite number of blocks by using an
argument based on König's lemma. We can construct a tree rooted at t such that $t\,t_1 \ldots t_n$ is a path through
the tree if and only if there is a path in the Kripke structure $t\,u_1 \ldots u_p\,t_1\,v_1 \ldots v_q\,t_2 \ldots t_n$ that corresponds to a
prefix of the path from s with $B'_1 = \langle t\,u_1 \ldots u_p \rangle$, $B'_2 = \langle t_1\,v_1 \ldots v_q \rangle$, and so on. Now, if the path from s has an
infinite number of blocks, this tree must have an infinite number of nodes. Otherwise, if the tree had n nodes,
there could be no path of length n+1, so the first n+1 blocks of the path from s would have no
corresponding path from t. Since the Kripke structure is finite, we also know that this tree must be finitely
branching. Therefore, by König's lemma, there must be an infinite path through the tree. But this implies
that there is an infinite path from t that can be divided into an infinite number of blocks that correspond to
the blocks of the path from s, so there is a path from t corresponding to the path from s, violating our
assumption. Therefore, the path from s has only a finite number of blocks.

So, suppose that there are n blocks, all of which are finite except the last. Consider the CTL formula:

$d_{l+1}(s,t) = C_l(M,\mathrm{first}(B_1)) \wedge E[C_l(M,\mathrm{first}(B_1))\ U\ C_l(M,\mathrm{first}(B_2)) \wedge E[\ldots U\ EG\,C_l(M,\mathrm{first}(B_n))] \ldots]$

It is clear that $s \models d_{l+1}(s,t)$ along the path $B_1 B_2 \ldots B_n$. However, if $t \models d_{l+1}(s,t)$ then there is a path that can
be partitioned into blocks $B'_1 B'_2 \ldots B'_n$ such that all of the blocks are finite except $B'_n$ and
$\forall i [v \in B'_i \Rightarrow v \models C_l(M,\mathrm{first}(B_i))]$. Since every state in $B_i$ satisfies $C_l(M,\mathrm{first}(B_i))$, the inductive hypothesis and
the definition of $E_l$ gives $B_i E_l B'_i$. We can also divide the infinite blocks $B_n$ and $B'_n$ into an infinite set of
blocks containing one state each. Therefore, this path from t corresponds to the path from s, so we have a
contradiction. We conclude that $t \not\models d_{l+1}(s,t)$.

Now, these $d_{l+1}(s,t)$ describe the existence or nonexistence of a single path along which some formulas
hold. By the definition of $s E_{l+1} v$, every path from s has a corresponding path from v along which the same $C_l$
formulas hold and vice versa. Therefore, $s E_{l+1} v \Rightarrow v \models d_{l+1}(s,t)$.

Therefore,  the  lemma  is  true.  □ 

Theorem 15: Given a Kripke structure M with initial state $s_0$, there is a CTL formula $F(M,s_0)$ that
characterizes that structure up to E-equivalence with respect to stuttering, i.e. $M', s'_0 \models F(M,s_0) \iff s_0 E s'_0$.

Proof: For any state s in M, let $s_1, \ldots, s_p$ be the extended successors of s, where an extended successor is a
state that is not E-related to s and is reachable from s along a path consisting entirely of states that are
E-equivalent to s. Next, we construct $G(M,s)$, which describes all of the transitions from s in M. In this
construction, it is convenient to use the weak until operator, $A[f\ W\ g] = \neg E[\neg g\ U\ (\neg f \wedge \neg g)]$, which differs from
the ordinary until in that it permits an infinite path along which every state satisfies the first argument. So

$$G(M,s) = \begin{cases}
\bigwedge_i E[C(M,s)\ U\ C(M,s_i)] \wedge A[C(M,s)\ W\ \bigvee_i C(M,s_i)] \wedge EG\,C(M,s) & \text{if } s \models EG\,C(M,s) \\
\bigwedge_i E[C(M,s)\ U\ C(M,s_i)] \wedge A[C(M,s)\ W\ \bigvee_i C(M,s_i)] \wedge \neg EG\,C(M,s) & \text{otherwise}
\end{cases}$$

Let $F(M,s_0)$ be the formula $C(M,s_0) \wedge \bigwedge_s AG(C(M,s) \Rightarrow G(M,s))$.


The correctness of $F(M,s_0)$ is an easy consequence of the next two lemmas and theorem 13. □

Lemma  16:  jH  F(M,s). 

Lemma  17:  If  sH  F(M,t)  and  s'  h*  F(M,t),  then  $£V. 

Proof of Lemma 16: Since every state is trivially equivalent to itself, $s \models C(M,s)$ is true by lemma 14.
Therefore, if $s \not\models F(M,s)$ then there is a $t \in M$ such that $s \models EF(C(M,t) \wedge \neg G(M,t))$. Let $v$ be the state
reachable from $s$ that satisfies $C(M,t) \wedge \neg G(M,t)$. By lemma 14, this condition implies $tEv$, so $t$ and $v$ must
satisfy the same CTL formulas (theorem 13). We will show that $t \not\models \neg G(M,t)$, giving a contradiction. There
are four cases.

1. $t \not\models E[C(M,t)\,U\,C(M,w)]$, for some extended successor of $t$, $w$. By the definition of extended
successor, there is a path from $t$ to $w$ and the states on this path are $E$-related to $t$. By lemma 14,
these states must satisfy $C(M,t)$. Since $w \models C(M,w)$ is trivial, this path satisfies $C(M,t)\,U\,C(M,w)$,
which is a contradiction.

2. $t \not\models EG\,C(M,t)$. Since $EG\,C(M,t)$ is a conjunct of $G(M,t)$ if and only if $t \models EG\,C(M,t)$, we have
an immediate contradiction.

3. $t \not\models \neg EG\,C(M,t)$. Since $\neg EG\,C(M,t)$ is a conjunct of $G(M,t)$ if and only if $t \not\models EG\,C(M,t)$, we
have an immediate contradiction.

4. $t \not\models A[C(M,t)\,W\,\bigvee_i C(M,w_i)]$. In this case, $t \models E[C(M,t)\,U\,(\neg C(M,t) \wedge \bigwedge_i \neg C(M,w_i))]$. Let $t_1 \ldots t_n$
be this path, where $t_n \models \neg C(M,t) \wedge \bigwedge_i \neg C(M,w_i)$ and $\forall i < n\,[t_i \models C(M,t)]$. By lemma 14,
$\neg(t_n E t)$ and $\forall i < n\,[t_i E t]$. Therefore, $t_n$ is an extended successor of $t$. But since $t_n \models C(M,t_n)$ is
trivially true, $t_n \models \bigwedge_i \neg C(M,w_i)$ cannot be true, so we have a contradiction.

Therefore, the lemma is true. □




Proof of Lemma 17: Since $sEs'$ if and only if $sE_l s'$ for all $l \ge 0$, we will prove $s \models F(M,t)$ and
$s' \models F(M,t)$ implies $sE_l s'$ by induction on $l$.

Basis ($l = 0$): Since $s \models F(M,t)$, $s \models C(M,t)$ and therefore $s \models C_0(M,t)$. Similarly, $s' \models C_0(M,t)$, so
$L(s) = L(t) = L(s')$. Therefore, $sE_0 s'$.

Induction: Assume that the result is true for $l$. We will now show it for $l+1$.

We want to show that every path, $\pi$, from $s$ has a corresponding path, $\pi'$, from $s'$. (The proof of the dual is
identical.) We will use induction on the length of $\pi$ to prove the slightly stronger result:

If $|\pi| \le n$, then there is a corresponding path $\pi'$ such that for some $v \in M$,
$last(\pi) \models F(M,v)$ and $last(\pi') \models F(M,v)$.

Basis ($|\pi| = 1$): In this case, $\pi = \langle s \rangle$. Let $B_1 = \langle s \rangle$ and $\pi' = B'_1 = \langle s' \rangle$. By the outer inductive hypothesis,
$s \models F(M,t)$ and $s' \models F(M,t)$ imply $sE_l s'$, so $B_1 E_l B'_1$. Therefore, the paths correspond. Since the last states
of each path satisfy $F(M,t)$, the base case is true.

Induction: Assume the result for $|\pi| \le n$. Suppose that $\pi = s\,s_1 s_2 \ldots s_n$ is a path of length $n+1$. Now,
$s\,s_1 s_2 \ldots s_{n-1}$ is a path of length $n$, so by the inner inductive hypothesis, there is a corresponding path $\pi'$ such
that $last(\pi') \models F(M,v)$ and $s_{n-1} \models F(M,v)$ for some $v \in M$. Let $B_1 B_2 \ldots B_m$ and $B'_1 B'_2 \ldots B'_m$ be the
partitions that show that these paths correspond. There are three cases.

1. $s_n \not\models C(M,v)$. Since $s_{n-1} \models F(M,v)$, we can infer that $s_{n-1} \models A[C(M,v)\,W\,\bigvee_i C(M,w_i)]$, where $w_i$ are the
extended successors of $v$. Since $s_{n-1}s_n$ is a path and $s_n$ doesn't satisfy $C(M,v)$, we conclude that there must
be an extended successor of $v$, $x$, such that $s_n \models C(M,x)$. Since $s_n$ is a successor of $s_{n-1}$, it must satisfy all of
the $AG$ formulas that $s_{n-1}$ satisfies, so $s_n \models F(M,x)$.

From $last(\pi') \models F(M,v)$ we can infer that $last(\pi') \models C(M,v) \wedge E[C(M,v)\,U\,C(M,x)]$. Therefore, there is a
path $s'_1 s'_2 \ldots s'_k$ where $s'_1 = last(\pi')$, $\forall i < k\,[s'_i \models C(M,v)]$, and $s'_k \models C(M,x)$. Now let $\pi = B_1 \ldots B_m \langle s_n \rangle$ and
$\pi' = B'_1 \ldots B'_{m-1} \langle B'_m, s'_2 \ldots s'_{k-1} \rangle \langle s'_k \rangle$. Since $s_n$ and $s'_k$ both satisfy $F(M,x)$, the outer induction
hypothesis gives $\langle s_n \rangle E_l \langle s'_k \rangle$. Similarly, since all the states in $B_m$, $B'_m$, and $\langle s'_2 \ldots s'_{k-1} \rangle$ satisfy $F(M,v)$,
they are all $E_l$ related to each other. Therefore, $\pi$ and $\pi'$ correspond with $last(\pi) \models F(M,x)$ and
$last(\pi') \models F(M,x)$.

2. $s_n \models C(M,v)$ and $v \models EG\,C(M,v)$. Since $s_n$ must satisfy the same $AG$ formulas as $s_{n-1}$, $s_n \models F(M,v)$.
Now, $last(\pi') \models F(M,v)$, so $last(\pi') \models EG\,C(M,v)$. Therefore, $last(\pi')$ must have a successor, $s'_1$, which also
satisfies $C(M,v)$. Since this state must also satisfy all of the $AG$ formulas, $s'_1 \models F(M,v)$. Therefore, by the
outer induction hypothesis, $s_n E_l s'_1$. So if we let $B_{m+1} = \langle s_n \rangle$ and $B'_{m+1} = \langle s'_1 \rangle$, the paths correspond.

3. $s_n \models C(M,v)$ and $v \not\models EG\,C(M,v)$. By the reasoning above, $s_n \models F(M,v)$, so $s_n E_l\, last(B'_m)$. Therefore, $\pi$
corresponds to $\pi'$ with the same partition except that $s_n$ is added to $B_m$.

We must also show that the blocks of the partitions are finite. The only problem is case 3, in which we
might add an infinite number of states to a block of $\pi$. In this case, each of the states added to $B_m$ satisfies
$F(M,v)$, so if we add an infinite number of states to this block $first(B_m) \models EG\,C(M,v)$ must be true. But since
$first(B_m) \models F(M,v)$, $first(B_m) \models \neg EG\,C(M,v)$, so we have a contradiction. Therefore, all of the blocks of the
partition must be finite.

Therefore, the lemma is true. □

Corollary 18: Given two structures $M$ and $M'$ with initial states $s_0$ and $s'_0$ respectively, $s_0 E s'_0$ if and only if
for all CTL* formulas $f$ without the nexttime operator, $M, s_0 \models f \Leftrightarrow M', s'_0 \models f$.

Corollary 19: Given two structures $M$ and $M'$ with initial states $s_0$ and $s'_0$ respectively, if there is a formula
of CTL* without the nexttime operator that is true in one and false in the other, then there is also a formula of
CTL without the nexttime operator that is true in the one and false in the other.

5. Algorithm For Stuttering Equivalence

In this Section we show how to compute the relation for equivalence with respect to stuttering for states
within a single Kripke Structure $M$. The method that we suggest is polynomial in the number of states of $M$.
To determine equivalence between states in two different Kripke structures $M_1$ and $M_2$, we form a Kripke
structure $M_u$ that is the disjoint union of these structures and check equivalence between the corresponding
states in the combined structure.

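We construct a relation $C$ on $S \times S$ that is identical to the relation $E$ defined in Section 4. $C = \bigcap_n C_n$ where
$C_n$ is defined as follows:

• $C_0 = \{(s,s') \mid L(s) = L(s')\}$

• In order to define $C_{n+1}$ we must first define the set $NEXT_{n+1}(s)$ of extended successors of $s$. We
define this set in terms of the set $ST_{n+1}(s)$ of stuttering states of $s$. $ST_{n+1}(s) = \bigcup_k ST^k_{n+1}(s)$
where,

○ $ST^0_{n+1}(s) = \{s\}$

○ $ST^{k+1}_{n+1}(s) = ST^k_{n+1}(s) \cup \{s' \mid s' \notin ST^k_{n+1}(s) \wedge \exists s'' \in ST^k_{n+1}(s)[s'' \rightarrow s'] \wedge s'\,C_n\,s\}$

$NEXT_{n+1}(s) = \{s' \mid s' \notin ST_{n+1}(s) \wedge \exists s'' \in ST_{n+1}(s)[s'' \rightarrow s']\}$.

We will also use a predicate $LOOP_n(s)$ that is true iff there is a cycle containing only states in
$ST_n(s)$.

Now we can define $C_{n+1}$ as follows:

$$
\begin{aligned}
C_{n+1} = \{(s,s') \mid\ & LOOP_{n+1}(s) = LOOP_{n+1}(s') \wedge s\,C_n\,s' \ \wedge \\
& \forall s_1 \in NEXT_{n+1}(s)\ \exists s'_1 \in NEXT_{n+1}(s')\,[s_1\,C_n\,s'_1] \ \wedge \\
& \forall s'_1 \in NEXT_{n+1}(s')\ \exists s_1 \in NEXT_{n+1}(s)\,[s_1\,C_n\,s'_1]\}
\end{aligned}
$$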

Proof that the relation $C$ constructed above is actually equal to the relation $E$ defined in Section 4 will be
given in the journal version of this paper. Since the inductive structures of the definitions of the two relations
are different, it is necessary to split the proof into two parts: the first part shows that $E \subseteq C_i$ for every $i$; the
second part shows that $C \subseteq E_i$ for every $i$.

Computing $ST_n$ requires time $O(|S|^2)$. Computing $C_{n+1}$ given $C_n$ requires time $O(|S|^4)$, since at most $|S|^2$
pairs of states must be checked and each pair requires $O(|S|^2)$ time to check. The algorithm terminates as soon
as $C_n = C_{n+1}$. Since at any previous step $k$, $|C_{k+1}| < |C_k|$ and since $C_0$ has at most $|S|^2$ pairs of states, there
are at most $|S|^2$ steps in the construction of $C$. It follows that the complexity of the entire algorithm is $O(|S|^6)$.

If we replace each equivalence class of $C$ by a single state, this algorithm can also be used to minimize the
number of states in the structure.
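
The fixpoint computation of this section, written out as an added Python example (not the authors' code). The function names, the dictionary representation of the transition relation, the single-string labels and the three-structure sample are assumptions made for illustration.

```python
from itertools import product

def stutter_and_next(succ, s, rel):
    """ST(s) and NEXT(s), both taken relative to the current relation rel (= C_n)."""
    st, todo = {s}, [s]
    while todo:
        for v in succ[todo.pop()]:
            if v not in st and (v, s) in rel:    # v C_n s: still a stuttering state
                st.add(v)
                todo.append(v)
    nxt = {v for u in st for v in succ[u] if v not in st}
    return st, nxt

def loop(succ, st):
    """LOOP(s): true iff some cycle lies entirely inside st."""
    live = set(st)
    while True:                                  # prune states with no successor left
        dead = {u for u in live if not succ[u] & live}
        if not dead:
            return bool(live)
        live -= dead

def stuttering_equivalence(succ, label):
    states = list(succ)
    rel = {(s, t) for s, t in product(states, repeat=2)
           if label[s] == label[t]}              # C_0
    while True:
        st_nx = {s: stutter_and_next(succ, s, rel) for s in states}
        lp = {s: loop(succ, st_nx[s][0]) for s in states}
        def covered(a, b):   # each extended successor of a has a C_n partner at b
            return all(any((x, y) in rel for y in st_nx[b][1]) for x in st_nx[a][1])
        new = {(s, t) for (s, t) in rel
               if lp[s] == lp[t] and covered(s, t) and covered(t, s)}
        if new == rel:                           # C_n = C_{n+1}: fixpoint reached
            return rel
        rel = new

# Constructed sample: disjoint union of three small structures (a, b, c).
SUCC = {"a0": {"a1"}, "a1": {"a1"},
        "b0": {"b1"}, "b1": {"b2"}, "b2": {"b2"},
        "c0": {"c0", "c1"}, "c1": {"c1"}}
LABEL = {"a0": "p", "a1": "q", "b0": "p", "b1": "p", "b2": "q",
         "c0": "p", "c1": "q"}

if __name__ == "__main__":
    rel = stuttering_equivalence(SUCC, LABEL)
    print(("a0", "b0") in rel, ("a0", "c0") in rel)
```

In the sample, a0 and b0 differ only by a finite repetition of the p-state, while c0 can remain in p forever through its self-loop, so the LOOP predicate separates c0 from a0 in the first refinement step.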

6. Conclusion

The results of our paper have a number of surprising implications. For example, if a specification of a finite
state concurrent program in CTL* is sufficiently detailed so that there is only one program (modulo one of
our notions of equivalence) that meets the specification, then an equivalent specification could have been
written in CTL instead. Another surprising consequence is that if a CTL* formula is not equivalent to any
CTL formula, then it must have an infinite number of mutually inequivalent finite models. To see that this
result is true, we first observe that since CTL* has the finite model property, it must be the case that if two
CTL* formulas have the same finite models, they must have the same infinite models as well. Otherwise, if $f_1$
had an infinite model $M$ that was not a model of $f_2$, $f_1 \wedge \neg f_2$ would have an infinite model, but no finite
models, contradicting the finite model property of CTL* [5]. Therefore, we can characterize a CTL* formula
by the set of finite models in which it is satisfied. If a CTL* formula is satisfied by only a finite number of
equivalence classes of finite models, then the formula is equivalent to the disjunction of the CTL formulas that
characterize the individual equivalence classes.

There are a number of directions for further research. First, from our construction, it appears that the
characteristic formula of a Kripke structure might be quite large. It would be nice to have a lower bound on
the size of this formula in terms of the size of the Kripke structure. Also, we conjecture that the $O(|S|^4)$
algorithm in Section 5 can be improved significantly. Finally, it would be interesting to see which of our
results carry over to Kripke structures with fairness constraints, i.e. Büchi automata.